SLIDE 1
Rafael Pass
Analysis and Design of Blockchains
Rafael Pass
Based on [P-Seeman-Shelat] and [P-Shi]
Traditional distributed systems:
The “Permissioned” Model
Paxos/PBFT
- Consistency
- Liveness
Rafael Pass Based on [P-Seeman-Shelat] and [P-Shi] Traditional - - PowerPoint PPT Presentation
Rafael Pass Based on [P-Seeman-Shelat] and [P-Shi] Traditional - - PowerPoint PPT Presentation
Analysis and Design of Blockchains Rafael Pass Rafael Pass Based on [P-Seeman-Shelat] and [P-Shi] Traditional distributed systems: The Permissioned Model Consistency Liveness Paxos/PBFT Traditional distributed systems: The
SLIDE 2
SLIDE 3
Traditional distributed systems:
The “Permissioned” Model
Paxos/PBFT
- Nodes a-priori known and authenticated
- 30 years of distributed systems
- Multi-party computation [GMW,BGW, ...]
○ Nearly all works assume authenticated channels
SLIDE 4
The “Permissionless” Model: Bitcoin/Blockchain
The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.
SLIDE 5
The “Permissionless” Model
The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.
- Nodes do not know each other a-priori
- Nodes come and go
- ANYONE can join
- No network synchronization
Relatively little is known about this model
SLIDE 6
- Strong impossibility results known in the “permissionless”
(“unauthenticated”) model [BCLPR05] ○ Consistency is impossible ○ Sybil attacks unavoidable.
■ [BCLPR05] defined “weakened” security model (w/o consistency)
The “Permissionless” Model
SLIDE 7
Nakamoto’s Blockchain [Nak’08]
Prevents Sybil attacks with Proofs-of-Work Puzzles [DN’92] Claims blockchain achieves “public ledger” assuming “honest majority”:
- Consistency:
everyone sees the same history
- Liveness:
everyone can add new transactions
SLIDE 8
Nakamoto’s Blockchain [Nak’08]
Prevents Sybil attacks with Proofs-of-Work Puzzles [DN’92] Claims blockchain achieves “public ledger” assuming “honest majority”
- Consistency: everyone sees the same history
- Liveness: everyone can add new transactions
2 amazing aspects:
- Overcomes permissionless barrier [BCLPR]
- Overcomes ⅓ barrier even in permissioned setting[
2 amazing aspects:
- Overcomes permissionless barrier [BCLPR’05]
- Overcomes ⅓ barrier even in permissioned
setting [LSP’83]
SLIDE 9
Everyone wants a “blockchain”
9
SLIDE 10
- WHAT IS a blockchain?
○ no definition of an “abstract blockchain”
- Does Nakamoto’s protocol achieve CONSISTENCY?
○ “Specific attacks” don’t work [N’08,GKL’15, SZ’15] ○ 49.1% attack (with 10s network delays) claimed [DW’14]
- Is Nakamoto’s consensus OPTIMAL?
○ Several issues known (load,latency,incentives)
Nakamoto’s Blockchain: OPEN PROBLEMS
SLIDE 11
This talk Desiderata of blockchain Nakamoto Achieves Desiderata Overcoming Bottlenecks
SLIDE 12
This talk Desiderata of blockchain Nakamoto Achieves Desiderata Overcoming Bottlenecks
SLIDE 13
What is a blockchain?
SLIDE 14
Idea: Use Proof-of-Work Puzzles to defend against sybil attacks
Users have to do work to cast votes.
SLIDE 15
How to build a “blockchain”
SLIDE 16
How to build a “blockchain”
elaine ➔ mariana: Ƀ50
SLIDE 17
How to build a “blockchain”
“Hash function”
H ( , , )
D >
SLIDE 18
Search for a puzzle solution
puzzle solution
( , , ) D >
Difficulty
H
SLIDE 19
Search for a puzzle solution
puzzle solution
( , , ) D >
Difficulty
H
SLIDE 20
We found a new block
( , , ) D > H
SLIDE 21
Best way to find a solution is brute- force search: model H as RO
( , , ) D > H
SLIDE 22
What if you join network and you see this.
SLIDE 23
Honest nodes only “believe” longest chain
SLIDE 24
Elaine → Mariana
Elaine wants to erase this transaction
SLIDE 25
Elaine → Mariana
For Elaine to erase his transaction, he has to find a longer chain!
SLIDE 26
Elaine → Mariana
“If transaction is sufficiently deep, he cannot do this unless he has majority hashpower”
- [Nak’08]: “simply trying to mine alternative chain fails”
- [GLK’15]: in synchronous network
- [SZ’15]: “non-withholding attacks” fail also with Delta-delay
networks
SLIDE 27
“If transaction is sufficiently deep, he cannot do this unless he has majority hashpower”
- [Nak’08]: “simply trying to mine alternative chain fails”
- [GLK’15]: in synchronous network
- [SZ’15]: “non-withholding attacks” fail also with Δ-delays
Elaine → Mariana
SLIDE 28
Blockchain abstraction
Consistency: Honest nodes agree on all but last k blocks
w/ prob exp(-k)
≤ k unstable ≤ k unstable
SLIDE 29
Blockchain abstraction
Consistency: Honest nodes agree on all but last k blocks
w/ prob exp(-k)
≤ k unstable ≤ k unstable
Future-self consistency
SLIDE 30
Blockchain abstraction
Consistency: Honest nodes agree on all but last k blocks
w/ prob exp(-k)
≤ k unstable ≤ k unstable
SLIDE 31
Blockchain abstraction
Consistency: Honest nodes agree on all but last k blocks
w/ prob exp(-k)
Chain quality: Any consecutive k blocks contain “sufficiently many” honest blocks
k
SLIDE 32
Blockchain abstraction
Consistency: Honest nodes agree on all but last k blocks
w/ prob exp(-k)
Chain quality: Any consecutive k blocks contain “sufficiently many” honest blocks Chain growth: Chain grows at a steady rate
SLIDE 33
Blockchain implies “state machine replication” in the permissionless model
Consistency Chain quality Chain growth
Traditional
“state machine replication”
Consistency Liveness
SLIDE 34
This talk Desiderata of blockchain Nakamoto Achieves Desiderata Overcoming Bottlenecks
SLIDE 35
Theorem [P-Seeman-Shelat]:
For every ρ<1/2, if “mining difficulty” is appropriately set (as a function of the network delay Δ, and total mining power), Nakamoto’s blockchain guarantees:
- Consistency
- Chain quality: 1 - ρ/(1-ρ)
- Chain growth: O(1/Δ)
where ρ adv’s fraction of hashpower, and adv controls the network
SLIDE 36
Theorem [P-Seeman-Shelat]:
For every ρ<1/3, if “mining difficulty” is appropriately set (as a function of the network delay Δ, and total mining power), Nakamoto’s blockchain guarantees:
- Consistency
- Chain quality: 1 - (1/3)/(2/3) = 1/2
- Chain growth: O(1/Δ)
where ρ adv’s fraction of hashpower, and adv controls the network
SLIDE 37
Theorem [P-Seeman-Shelat]:
For every ρ<1/2, if “mining difficulty” is appropriately set (as a function of the network delay Δ, and total mining power), Nakamoto’s blockchain guarantees:
- Consistency
- Chain quality: 1 - ρ/(1-ρ)
- Chain growth: O(1/Δ)
where ρ adv’s fraction of hashpower, and adv controls the network
SLIDE 38
Theorem [P-Seeman-Shelat]:
For every ρ<1/2, if “mining difficulty” is appropriately set (as a function of the network delay Δ, and total mining power), Nakamoto’s blockchain guarantees:
- Consistency
- Chain quality: 1 - ρ/(1-ρ)
- Chain growth: O(1/Δ)
where ρ adv’s fraction of hashpower, and adv controls the network “Blocks are found SLOWER than Δ”
SLIDE 39
Theorem [P-Seeman-Shelat]:
For every ρ<1/2, if “mining difficulty” is appropriately set (as a function of the network delay Δ, and total mining power), Nakamoto’s blockchain guarantees:
- Consistency
- Chain quality: 1 - ρ/(1-ρ)
- Chain growth: O(1/Δ)
where ρ adv’s fraction of hashpower, and adv controls the network “Blocktime” >> Δ
SLIDE 40
When c = 60 (10 min blocktime, 10s network delays) Secure: ρ < 49.57 (contradicts [DW’14]’attack!) Attack: ρ > 49.79
“Appropriately set”
SLIDE 41
“Appropriately set”
Mining rate of honest players Mining rate
- f Adv
Network Delay
SLIDE 42
Theorem [Security of Nakamoto]
For every ρ<1/2, if mining difficulty is appropriately set (as a function of the network delay, and total mining power), Nakamoto’s blockchain guarantees a) consistency, b) chain quality 1 - ρ/(1-ρ), and c) Chain growth: O(1/Δ)
Theorem [Blatant attack]:
For every ρ>0, for every mining difficulty, there exists a network delay such that Nakamoto’s blockchain is inconsistent and has 0 chain quality
SLIDE 43
This talk Desiderata of blockchain Nakamoto Achieves Desiderata Overcoming Bottlenecks
SLIDE 44
Terrible performance Not incentive compatible
Nakamoto: ISSUES
SLIDE 45
- Cost per confirmed transaction in Bitcoin: $6.20
- 7 tx/sec, 10 min TX confirmation time
c.f. Visa credit card: average 2,000 tx/sec, peak 59,000 tx/sec
[Source: K. Croman et al. On Scaling Decentralized Blockchains. In Bitcoin workshop, 2016.]
Bitcoin has terrible performance
SLIDE 46
Traditional BFT protocols are performant
PBFT at ~100 nodes: Throughput: ~10,000 tx/sec Confirmation time: ~ seconds
[Source: K. Croman et al. On Scaling Decentralized Blockchains. In Bitcoin workshop, 2016.]
SLIDE 47
Hybrid consensus [P-Shi]
Snailchain TXs BFT committee
SLIDE 48
Hybrid Consensus: The idea
k unstable k
SLIDE 49
PBFT
Hybrid Consensus: The idea
k unstable k
SLIDE 50
PBFT
Hybrid Consensus: The idea
k unstable k
SLIDE 51
k unstable k: PBFT
Committee members sign each (seq #, tx) Non-members count ⅓k
Chain quality: ⅔ committee honest (if ¾ honest overall) Chain growth: this won’t take too long Consistency: everyone agrees on committee
Hybrid Consensus: The idea
SLIDE 52
k unstable k: PBFT
- Committee members sign each confirmed
(seq #, tx)
- Non-members count ⅓k + 1 sigs
Achieves static security Not adaptively secure
- Can deal with it using rotating committees
Hybrid Consensus: The idea
SLIDE 53
Summary
- Nakamoto’s protocol achieves strong robustness properties,
assuming “honest majority of computational power”
➔ Assuming puzzle difficulty is appropriately set as a function of network delay Δ ➔ Blocktime need to be rougly 10 * Δ for to handle ⍴> 0.45 ➔ Leads to high latency (slow confirmation times)
- Can BOOTSTRAP Nakamoto into new blockchain protocols
➔ Low latency (fast confirmation times) ➔ incentive compatible: fruit chains